New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protocol oddities - what are Niantic up to? #864
Comments
The following is also new code that seems to be relevant function zd(a, b) {
var c = "mxkd";
a.za[b] && 0 < a.za[b].length && a.za[b].shift().invoke(function(a) {
c = a;
});
wd(a, b);
return c;
}
function wd(a, b) {
if (a.nb[b] && 0 < a.nb[b].length) {
var c = a.nb[b].shift(), d = c.gf, c = "dkxm" == d ? new Pf : new a.sc[c.eb](d);
a.za[b] || (a.za[b] = []);
a.za[b].push(c);
}
}
function ud(a, b, c) {
var d = c.eb && a.sc[c.eb];
if ("dkxm" == c.gf || d) a.nb[b] || (a.nb[b] = []), a.nb[b].push(c);
}
function td(a, b, c) {
a.eb = b;
if (!a.sc[b]) {
var d = !1;
if (c) try {
eval(c);
} catch (e) {
d = !0;
}
d || (a.sc[b] = botguard.bg);
}
}
function vd(a, b) {
this.gf = a;
this.eb = b;
}
function Pf() {}
Pf.prototype.invoke = function(a) {
a("dkxm");
}; |
... and another piece of the puzzle is a large piece of (encrypted?) javascript in the main html page, included just before gen_dashboard.js itself. <script type="text/javascript" language="javascript">
var B = "gUxMl-AzWMT7Gaa0PPntg58WW5trb6QbxSqpL8w2vCI";
var CS = {"getPortalDetails": ["TH8pbe1OXfN7hA5Ctt1mRBo3/5hR+RC3YSlgu9lKV... |
In the Intel page itself: /* Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29tCg== */ This is the tool which is used by Google itself to protect against automated account creation. |
In this case I don't think it's for catching account creation - that's not something that can be done on the intel page itself. The fact that it's "getPortalDetails" that's in the |
I think its a lot more than a honeypot / spam protection of account creation. The response on I don't see the extra requests on others, only |
I didn't mean it is for account creation. I mean Niantic didn't write their own bot protection instead they use the code which google uses to protect their account creation. |
In plain english please: does this mean that is safe or not to use IITC? I can't imagine playing ingress without IITC :( |
For a plain-english response, see my comment on this post in the IITC community |
Also relevant:
td loads what is global B into the DOM. The iterator is how ud, vd and wd are called to organize the seeded data with the passed parameters. |
The botguard.bg function the code calls decodes to
|
Just dropping a link here guys as it might be useful for code deobfuscation http://jsnice.org/ |
Just a little question: why don't you use niantics methods for creating requests (pd.prototype.Gg) instead of building own? |
That's literally what I ended up doing. I'll throw up a jsfiddle. You can just use niantic's own code to create the new variables. Based on what I saw, it doesn't look at the guid of the target portal and it does seed with a random number, so every call is different. |
@radopi The problem with using Niantic's methods is that they change the names of them on every site update. There's been another release this evening, and that method is now called While IITC can detect some class/methods from their contents (we do that to extract the version string), reliably doing that for multiple methods becomes tricky to do reliably. This site update is good though - before this, I didn't know which of the two character names would change as part of their usual site updates, and which, if any, would remain static. For example, the B and CS variables in the main html page remain the same, while the initialisation line in the main script has changed from Making this work right does involve some guesswork, and may involve some assumptions on what does/doesn't change between site updates. I want to be as certain as reasonably possible IITC's code in this area is right - as I think it's safer for users to be passing the current 'blank' strings rather than the random looking strings that look right to us, but Niantic can detect are wrong in some way. I've had a quick glance at the new update and I think I have a fair idea of what needs to be done. I just need to have a closer look again, to ensure I'm not making any daft mistakes. |
@jonatkins the new param was added, because they changed the CS array to no longer contain the method names and added nd, which contains them |
I've had a further look at the code. A possible major pitfall is that, for the relevant requests (getPortalDetails only, at this time), the server can return a string which is then passed to Where is this - follow the response handling code in rd.prototype.Wg
Now, I've only seen empty strings so far in the server responses, so if this continues in most cases, IITC can still work OK when this is the case. However, as soon as we get a non-blank string, there's very little we can do with it in a safe/sensible way. As, for now, Niantic are only protecting the getPortalDetails method, and no others have this behaviour, some parts of IITC will still work. So, my plan is, once I've understood the flow of the code fully, is to
Perhaps, once we see some examples of returned strings to eval, it will be possible to handle them in a sensible way - but before then there's nothing we can do sensibly with them. Of course, each site update could add/change code in this area again, breaking anything we do. Fingers crossed we can get something that works well enough. |
@jonatkins maybe you could add an option to send the data to your server, so you have more data |
Now, getPlexts is also affected. |
@radopi that sounds like a good idea but there is a privacy problem with doing that as well. Also, should always be an Opt-in option and a way to disable if you wanted to. |
I got myself this parameters. |
Various recent commits, ending with 92aae95, should implement all is needed for this. |
Just looking at the network protocol from the stock intel map, and I notice a couple of extra parameters included in each request, that actually have some odd (obsfucated) values.
IITC currently doesn't recreate these correctly (it passes in an empty string), and the intel map still works successfully - but this protocol difference does mean that
The two extra parameters are called
b
andc
, and are added around the same place that the version code (v
) is added to any request parameters. As of the stock intel update of 2014-08-25, this is in the following:Note the lines after
c.v = ...
, wheresd.g()
is called, then thec.b
andc.c
values are set in the sent request.The text was updated successfully, but these errors were encountered: